GlucoSensor™ Q
Version: V010726
Effective date: 1 July 2026
Issued by: Maralvion sp. z o.o.
Applicable product: GlucoSensor™ Q Continuous Glucose Monitoring System, Model D1
Website: www.glucosensor.com
Contact: support@glucosensor.com
ARTICLE 1. INTRODUCTION AND KEY PRIVACY INFORMATION
1.1 Maralvion sp. z o.o. (“Maralvion”, “we”, “us” or “our”) respects your privacy and is committed to protecting your Personal Data.
1.2 This Privacy Policy explains how Maralvion collects, uses, stores, discloses, transfers and otherwise processes Personal Data when you visit the Website, use the webshop, create or use an Account, place an order, use the App, use the GlucoSensor™ Q System, contact customer support, receive communications from us or otherwise interact with GlucoSensor™ products, services, digital services, the Website or the App.
1.3 The GlucoSensor™ Q System generates glucose related information through the Sensor and the App. This information may qualify as Health Data and special category Personal Data under the GDPR where it relates to an identified or identifiable User.
1.4 Maralvion treats glucose related information as Health Data regardless of the context in which you use or describe the GlucoSensor™ Q System, including diabetes management, glucose awareness, nutrition, weight related lifestyle goals, sports, wellness or another user context. This classification is made for data protection purposes only. It does not expand, change or replace the certified intended purpose, target population, indications, contraindications, warnings, limitations, product labelling, mandatory regulatory information or conditions of use applicable to GlucoSensor™ Q.
1.5 As a key privacy point, CGM Data and glucose readings generated during ordinary App use are primarily processed and stored locally on the User’s mobile device. Maralvion does not routinely store raw glucose readings or full CGM history on its own servers as part of ordinary App use. Maralvion may process limited CGM Data, Health Data, Device Data, Sensor Data or related information outside the User’s mobile device where this is necessary for a specific App feature, Share & Follow functionality, report export, customer support, technical support, complaint handling, sensor replacement assessment, product safety, medical device vigilance, post market surveillance, quality management, regulatory compliance, security, legal claims or another lawful purpose described in this Privacy Policy.
1.6 In summary:
(a) Maralvion is the Controller for the processing described in this Privacy Policy, unless expressly stated otherwise;
(b) CGM Data and glucose readings are primarily processed locally on the User’s mobile device during ordinary App use;
(c) Health Data is processed only where a valid legal basis and a valid condition for processing special category Personal Data apply;
(d) Health Data, CGM Data and Sensor related health information are not sold;
(e) Health Data and CGM Data are not used for general advertising, general marketing, behavioural advertising or audience building;
(f) Share & Follow functionality is controlled by the User, subject to the technical options available in the App;
(g) medical device safety, complaint handling, vigilance, post market surveillance, quality management and regulatory compliance may require certain information to be retained, used or disclosed even after Account closure, App deletion or withdrawal of consent; and
(h) access to Personal Data from outside the European Economic Area may occur only where necessary, lawful and subject to appropriate safeguards.
1.7 This Privacy Policy should be read together with the applicable:
(a) App EULA;
(b) Legal Disclaimer for the GlucoSensor™ Q App;
(c) Website EULA and Terms of Use;
(d) General Delivery Terms;
(e) Returns and Refund Policy;
(f) Sensor Replacement Policy;
(g) Instructions for Use (IFU), product labelling, safety notices and mandatory product information; and
(h) Website Legal Disclaimer.
1.8 Product instructions, product labelling, safety notices, mandatory regulatory information and the Instructions for Use (IFU), where applicable, govern the correct and safe use of GlucoSensor™ Q. This Privacy Policy explains privacy and data protection matters and does not replace, amend or expand the certified intended purpose, product instructions, product labelling or mandatory safety information.
1.9 In the event of any inconsistency concerning privacy or data protection matters, this Privacy Policy applies. In the event of any inconsistency concerning the official intended purpose, indications, contraindications, warnings, limitations, CE marking, product identification or mandatory information required for safe and correct use of GlucoSensor™ Q, the applicable product labelling, mandatory regulatory information, safety notices and Instructions for Use (IFU) prevail for that specific matter.
1.10 Maralvion processes Personal Data in accordance with the GDPR, applicable national data protection legislation, Regulation (EU) 2017/745 on medical devices (“MDR”) and other applicable laws and regulations governing the processing of Personal Data.
ARTICLE 2. WHO WE ARE AND OUR ROLE
2.1 The Controller responsible for the processing of Personal Data described in this Privacy Policy is:
Maralvion sp. z o.o.
Pl. Władysława Andersa 3
11th Floor
61-894 Poznań
Poland
KRS: 0001235440
Email: support@glucosensor.com
Website: www.glucosensor.com
2.2 Maralvion determines the purposes and means of processing Personal Data relating to the Website, webshop, App, Accounts, orders, payments, deliveries, customer support, product support, marketing communications, product complaints, medical device related cooperation and related business operations described in this Privacy Policy.
2.3 Maralvion acts as Controller for the processing described in this Privacy Policy, unless this Privacy Policy states otherwise or the circumstances show that another party determines the purposes and means of a specific processing activity.
2.4 Maralvion may use Authorised Service Providers to support the operation of the Website, webshop, App, Account environment, customer support, hosting, payment processing, logistics, analytics, marketing, technical support, compliance, administration and related services. Where such providers process Personal Data on behalf of Maralvion, they act as Processors and must process Personal Data under appropriate contractual and data protection arrangements.
2.5 Certain third parties may act as independent Controllers for their own processing activities. This may include payment service providers, app store operators, analytics or advertising technology providers, professional advisers, logistics providers, competent authorities or the Manufacturer where they independently determine the purposes and means of their own processing.
2.6 Dreisam is the legal manufacturer of the GlucoSensor™ Q System. Where Dreisam processes Personal Data for its own manufacturer obligations, product safety responsibilities, technical documentation, vigilance, post market surveillance, quality management, regulatory compliance or legal claims, Dreisam may act as an independent Controller for that processing. Where Dreisam processes Personal Data on behalf of Maralvion, appropriate processor arrangements apply where required by law.
2.7 Questions, requests and complaints relating to privacy or Personal Data may be submitted using the contact details set out in Article 24 of this Privacy Policy.
ARTICLE 3. SCOPE AND RELATED LEGAL DOCUMENTS
3.1 This Privacy Policy applies to the Website, webshop, App, Account environment, orders, payments, deliveries, returns, refunds, subscriptions, customer support, product support, Share & Follow functionality, reports, automated insights, marketing communications, cookies, analytics, App technologies, medical device related processing and related GlucoSensor™ products, services and digital services offered by or on behalf of Maralvion.
3.2 This Privacy Policy applies regardless of whether the Website or App is accessed through a desktop computer, laptop, smartphone, tablet, wearable device or other supported device.
3.3 This Privacy Policy applies to Maralvion’s processing of Personal Data. It does not apply to third party websites, applications, services, platforms, app stores, payment providers, operating systems or devices that are not operated by or on behalf of Maralvion, even where such services are accessible through links, integrations or references provided on the Website, in the webshop or within the App.
3.4 Third party services are governed by their own privacy policies, terms and conditions. Maralvion is not responsible for the independent privacy practices of third parties, except where Maralvion is legally responsible under applicable law.
3.5 Where you choose to share information through Share & Follow functionality, this Privacy Policy applies to Maralvion’s processing of that information within the App and related services. It does not control the independent use, storage, disclosure, copying, forwarding or further sharing of information by the person with whom you choose to share your information.
3.6 Where Personal Data is processed for medical device safety, vigilance, post market surveillance, product complaint handling, quality management, regulatory cooperation or legal compliance, additional obligations may apply under the MDR and related medical device legislation.
3.7 This Privacy Policy does not provide medical advice, product safety instructions, treatment guidance, emergency instructions or instructions for use of GlucoSensor™ Q. Such matters are addressed in the Instructions for Use (IFU), product labelling, safety notices, App warnings, the App EULA and the Legal Disclaimer for the GlucoSensor™ Q App.
ARTICLE 4. DEFINITIONS
4.1 In this Privacy Policy, the following terms have the meanings set out below. Terms not defined in this Privacy Policy may have the meaning given to them in the App EULA, the Instructions for Use (IFU), product labelling or applicable law, unless the context requires otherwise.
4.2 “Account” means a user account created or used through the Website, webshop, App, user account environment or another authorised registration flow to access GlucoSensor™ services, log into the App, activate or use App functionality, manage orders, manage support features or use related digital services in connection with GlucoSensor™ Q.
4.3 “App” means the GlucoSensor™ Q mobile application and related digital services made available by or on behalf of Maralvion for use with the GlucoSensor™ Q System.
4.4 “Authorised Representative” means Firsteck Bio S.r.l., acting as authorised representative of the Manufacturer within the European Union where and to the extent indicated in the applicable regulatory documentation.
4.5 “Authorised Service Providers” means third party service providers engaged by Maralvion to support the operation of the Website, webshop, App, Account environment, customer support, hosting, analytics, marketing, payment processing, logistics, technical support, compliance, administration or related services.
4.6 “CGM Data” means glucose related information generated through or in connection with the GlucoSensor™ Q System, including glucose readings, glucose trends, glucose alerts, trend indicators, reports, sensor generated information, glucose statistics, Time in Range information, sensor session information and related information.
4.7 “Controller” means the natural or legal person that determines the purposes and means of the processing of Personal Data.
4.8 “Device” means the GlucoSensor™ Q System where that term is used in the context of CE marking, medical device law, the certificate, product labelling, the Instructions for Use (IFU), manufacturer approved regulatory documentation or mandatory product information.
4.9 “Device Data” means technical, diagnostic, performance related and operational information generated by or relating to the GlucoSensor™ Q System, the Sensor, the App, related software, the User’s mobile device or related technical environment. This may include device identifiers, App version information, diagnostic information, technical logs, connection status information, sensor performance information, sensor session information, System performance information and error information.
4.10 “Dreisam” or “Manufacturer” means Dreisam (Beijing) Medical Technology Co., Ltd., as legal manufacturer of the GlucoSensor™ Q System.
4.11 “GDPR” means Regulation (EU) 2016/679, the General Data Protection Regulation.
4.12 “GlucoSensor™ Q System” or “System” means the CE marked Class IIb GlucoSensor™ Q Continuous Glucose Monitoring system, Model D1, manufactured by Dreisam and made available by Maralvion under the GlucoSensor™ Q brand in selected European markets. The System consists of the Sensor and the App and is intended to be used in accordance with the Instructions for Use (IFU), product labelling and applicable product information.
4.13 “Health Data” means Personal Data relating to the physical or health status of an individual, including glucose readings, glucose trends, glucose alerts, Time in Range information, sensor generated glucose information, health related reports, health related analytics, health related user entries, support information containing health details and related information.
4.14 “MDR” means Regulation (EU) 2017/745 on medical devices.
4.15 “Personal Data” means any information relating to an identified or identifiable natural person.
4.16 “Processing” means any operation performed on Personal Data, including collection, recording, storage, retrieval, consultation, use, disclosure, transfer, restriction, erasure, anonymisation or destruction.
4.17 “Processor” means a natural or legal person that processes Personal Data on behalf of a Controller.
4.18 “Sensor” means the disposable GlucoSensor™ Q sensor assembly supplied in its applicator and intended to be applied, activated, worn, used, removed and replaced in accordance with the Instructions for Use (IFU).
4.19 “Sensor Data” means technical, operational, performance related or identification data relating to a Sensor or sensor session. This may include lot number, serial number, sensor activation information, sensor session status, sensor performance information, sensor error information, sensor replacement information, sensor support information and related technical or operational information. Sensor Data may also include Health Data where it relates to glucose readings, glucose trends, glucose alerts, sensor generated glucose information or other information revealing health status.
4.20 “Share & Follow” means functionality that allows a User to share selected glucose related information, alerts, trend information or related information with one or more persons chosen by the User.
4.21 “User”, “you” or “your” means the individual who visits the Website, creates or uses an Account, uses the App, uses the GlucoSensor™ Q System, contacts Maralvion, receives communications from Maralvion or otherwise interacts with GlucoSensor™ products, services, digital services, the Website or the App.
4.22 “Website” means the GlucoSensor™ website, webshop and related online account environment operated by or on behalf of Maralvion at www.glucosensor.com.
ARTICLE 5. CATEGORIES OF PERSONAL DATA
5.1 Depending on how you interact with the Website, webshop, App, GlucoSensor™ Q System and related services, Maralvion may process the categories of Personal Data described in this Article.
5.2 Identity, Account and Contact Information. This may include name, age confirmation or date of birth where required, username, Account credentials, Account identifiers, customer identification information, language preferences, country or region settings, email address, telephone number, billing address, shipping address and other contact information provided by you.
5.3 Order, Transaction and Payment Information. This may include information relating to purchases, subscriptions, orders, deliveries, invoices, refunds, returns, payment status, order history, customer service history and related communications. Payment card information is generally processed directly by authorised payment service providers and is not stored by Maralvion unless required for a specific lawful purpose.
5.4 Website, Technical and Security Information. This may include IP addresses, browser information, device identifiers, mobile device model, operating system information, App version information, technical logs, crash reports, diagnostic information, Bluetooth or connection status information where relevant, login records, authentication information, security logs, fraud prevention information and information relating to attempted unauthorised access.
5.5 App, Sensor, Device and System Information. This may include Device Data, Sensor Data, Sensor identifiers, lot number, serial number, sensor activation information, sensor session information, App settings, App permissions, App events, technical status information, diagnostic information, system performance information, sensor performance information, support information and information needed to operate, secure, support or troubleshoot the App and the GlucoSensor™ Q System.
5.6 Health Data and CGM Data. This may include glucose readings, glucose trends, glucose alerts, Time in Range metrics, reports, health related analytics, automated insights, event entries, user entered notes relating to meals, activity, symptoms, medication or lifestyle, Share & Follow information containing glucose related information, customer support information containing health related information and other health related information provided through or in connection with the GlucoSensor™ Q System.
5.7 Local CGM Data. During ordinary App use, CGM Data and glucose readings are primarily processed and stored locally on the User’s mobile device. Maralvion does not routinely store raw glucose readings or full CGM history on its own servers as part of ordinary App use. Such information may nevertheless be processed by Maralvion or its Authorised Service Providers where a specific App feature, User action, support request, complaint, sensor replacement assessment, report export, Share & Follow functionality, technical investigation, product safety matter, regulatory obligation, security issue or legal claim makes such processing necessary and lawful.
5.8 Share & Follow Information. This may include sharing invitations, authorised followers, sharing permissions, shared glucose information, shared alerts or trend information, recipient contact details provided by the User and related configuration settings.
5.9 Customer Support, Complaint and Regulatory Information. This may include support communications, support tickets, complaint information, warranty requests, sensor replacement requests, technical support information, order information, Device Data, Sensor Data, screenshots or App information provided by you, correspondence, adverse event information, serious incident information, vigilance related information, post market surveillance information, quality management information, traceability information, lot number, serial number or sensor session information where relevant.
5.10 Marketing, Cookie and Website Usage Information. This may include marketing preferences, newsletter subscriptions, campaign interactions, survey responses, communication preferences, consent records, unsubscribe records, pages visited, session information, referral information, cookie identifiers, analytics information, advertising interaction information, approximate location information derived from technical data and Website usage patterns.
5.11 Maralvion does not intentionally collect more Personal Data than is reasonably necessary for the purposes described in this Privacy Policy. Where possible and appropriate, Maralvion uses data minimisation, aggregation, de identification, anonymisation or pseudonymisation measures, especially where information relates to Health Data, CGM Data, Sensor Data, product safety, quality management, analytics or regulatory purposes.
5.12 Health Data, CGM Data and Sensor related health information are not sold and are not used for general advertising, general marketing, behavioural advertising or audience building.
ARTICLE 6. HEALTH DATA AND SPECIAL CATEGORY DATA
6.1 The GlucoSensor™ Q System generates glucose related information and other health related information through the Sensor, the App and related functionality.
6.2 Where glucose related information relates to an identified or identifiable User, Maralvion treats that information as Health Data and special category Personal Data under the GDPR.
6.3 Maralvion applies the same privacy protection to glucose related information regardless of whether you use or describe the GlucoSensor™ Q System in the context of diabetes management, glucose awareness, nutrition, weight related lifestyle goals, sports, wellness or another user context. This privacy classification does not expand, change or replace the certified intended purpose, target population, indications, contraindications, warnings, limitations, product labelling, mandatory regulatory information or conditions of use applicable to GlucoSensor™ Q.
6.4 The local processing and storage of CGM Data during ordinary App use is described in Articles 1, 5, 9 and 20 of this Privacy Policy.
6.5 Maralvion may process Health Data, CGM Data, Sensor Data or related information outside the User’s mobile device only where this is necessary and lawful for a specific purpose described in this Privacy Policy, including App functionality, Share & Follow functionality, report export, customer support, technical support, complaint handling, sensor replacement assessment, product safety, medical device vigilance, post market surveillance, quality management, regulatory compliance, security, legal claims or another lawful purpose.
6.6 Health Data is processed only where:
(a) a valid legal basis exists under the GDPR for the processing of Personal Data; and
(b) a valid condition exists for the processing of special category Personal Data.
6.7 For Health Data processing required to provide core App functionality, including glucose display, glucose alerts, reports, automated insights and Share & Follow functionality where applicable, explicit consent is the primary special category condition relied upon by Maralvion.
6.8 For medical device safety, complaint handling, vigilance, post market surveillance, serious incident assessment, field safety corrective actions, recalls, quality management and related regulatory obligations, Maralvion may process Health Data where this is necessary for reasons of public interest in the area of public health on the basis of the MDR and applicable medical device legislation.
6.9 Maralvion may also process Health Data where this is necessary for the establishment, exercise or defence of legal claims.
6.10 Maralvion does not rely on the provision of health or social care or treatment as the basis for processing Health Data. Maralvion does not provide medical treatment, medical diagnosis, professional healthcare services or emergency medical services.
6.11 You may withdraw explicit consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
6.12 If you withdraw explicit consent for Health Data processing required for core App functionality, the App may no longer be able to provide Health Data dependent functionality, including glucose display, glucose alerts, reports, automated insights, historical glucose review or Share & Follow functionality.
6.13 Withdrawal of consent does not prevent Maralvion from retaining or further processing specific Health Data where Maralvion is required or permitted to do so for medical device safety, vigilance, post market surveillance, quality management, regulatory compliance, security, legal claims or another lawful purpose. Such processing is limited to what is necessary for that purpose.
ARTICLE 7. HOW WE COLLECT PERSONAL DATA AND WHETHER IT IS REQUIRED
7.1 Maralvion may collect Personal Data directly from you, automatically through the Website, webshop, App and GlucoSensor™ Q System, through the User’s mobile device, through the Sensor and related App functionality, and, where appropriate, from Authorised Service Providers or other authorised third parties.
7.2 Personal Data may be collected directly from you when you create an Account, place an order, use the Website, use the webshop, use the App, use the GlucoSensor™ Q System, activate or use Share & Follow functionality, contact customer support, submit a complaint, request a sensor replacement, complete forms, subscribe to communications, respond to surveys or otherwise communicate with Maralvion.
7.3 Technical, diagnostic, device related, Sensor related, App usage and security information may be generated or collected when the Website, webshop, App, Account environment or GlucoSensor™ Q System is used.
7.4 CGM Data and glucose readings generated during ordinary App use are primarily processed and stored locally on the User’s mobile device. Such information may be made available to Maralvion only where a specific App feature, User action, support request, complaint, sensor replacement assessment, report export, Share & Follow functionality, technical investigation, product safety matter, regulatory obligation, security issue or legal claim makes such processing necessary and lawful.
7.5 Information may be received from payment providers, logistics providers, customer support providers, analytics providers, advertising providers where permitted by law, app store operators, hosting providers, security providers and other Authorised Service Providers where necessary for the purposes described in this Privacy Policy.
7.6 Where Share & Follow functionality is used, information relating to sharing invitations, authorised followers, shared glucose information, sharing permissions and related configuration settings may be processed.
7.7 Some Personal Data is necessary to enter into or perform a contract with you, to comply with legal obligations, to provide the Website, webshop, Account, App or GlucoSensor™ Q System, or to handle support, safety, regulatory or legal matters.
7.8 Identity, contact, order and payment information is required to create an Account, process orders, fulfil purchases, arrange delivery, handle returns or refunds and meet legal obligations, including tax, accounting, consumer protection and product traceability obligations. Without this information, Maralvion may be unable to create your Account, process your order or fulfil your purchase.
7.9 Health Data and CGM Data are necessary to provide Health Data dependent App functionality, including glucose display, glucose alerts, reports, automated insights, historical glucose review and Share & Follow functionality where available. If you do not provide the required consent, or if you withdraw it, the App may not be able to provide those functions. Your Account, purchases and non Health Data dependent services may continue where legally and technically possible.
7.10 Certain Personal Data, Device Data, Sensor Data, CGM Data or Health Data may be required for customer support, complaint handling, warranty assessment, sensor replacement requests, product safety, vigilance, post market surveillance, quality management, regulatory compliance, legal claims and security purposes. Without such information, Maralvion may be unable to handle your request, investigate the issue, assess a replacement request or comply with applicable obligations.
7.11 Marketing, optional analytics, advertising technologies and similar optional processing are not mandatory. Declining or withdrawing consent for such processing does not affect your ability to purchase GlucoSensor™ Q or use core App functionality.
7.12 Where the provision of Personal Data is optional, this is indicated at the point of collection where appropriate.
ARTICLE 8. PURPOSES OF PROCESSING AND LEGAL BASES
8.1 Maralvion processes Personal Data only where a lawful basis applies. Where Health Data or other special category Personal Data is processed, Maralvion also relies on one or more special category conditions as described in Article 6.
8.2 The legal bases described in this Article apply depending on the specific processing activity, the type of Personal Data involved and the purpose for which the Personal Data is processed.
8.3 Account creation and account management. Personal Data may be processed to create, verify, manage, authenticate and secure Accounts, enable access to the Website, webshop, App and related services, manage User preferences, enable login to the App with Account credentials created through the Website or webshop, and support account related communications. The legal bases are performance of a contract, compliance with legal obligations and legitimate interests relating to secure and reliable account management, authentication, service reliability and prevention of misuse.
8.4 Orders, payments, deliveries, returns and subscriptions. Personal Data may be processed to process purchases, subscriptions, order confirmations, payments, invoices, deliveries, shipping updates, returns, refunds, withdrawal requests, subscription management and related customer communications. The legal bases are performance of a contract, compliance with legal obligations, including tax, accounting, consumer protection and product traceability obligations, and legitimate interests relating to business administration, fraud prevention, payment verification, logistics coordination and customer service.
8.5 Operation of the App and GlucoSensor™ Q System. Personal Data, Device Data, Sensor Data, CGM Data and Health Data may be processed to operate the App and GlucoSensor™ Q System, display glucose information, provide alerts, generate reports, support Share & Follow functionality, maintain App performance, enable System functionality, provide technical support and ensure reliable operation of the App and related services. The legal bases are performance of a contract, compliance with legal obligations, legitimate interests relating to service reliability, technical performance, security, troubleshooting and lawful service improvement, and consent where specific optional processing requires consent. Where Health Data is processed, Article 6 applies in addition.
8.6 Health Data and CGM Data. Health Data and CGM Data may be processed to provide glucose monitoring functionality, glucose readings, glucose trends, alerts, reports, automated insights, historical glucose review, Share & Follow functionality, customer support, technical support, product safety monitoring, quality management, post market surveillance, vigilance, complaint handling, regulatory compliance and legal claims. The legal bases are performance of a contract, compliance with legal obligations, legitimate interests where lawful and proportionate, and consent where required. Where Health Data is processed, Article 6 applies in addition.
8.7 Customer support, complaints, warranty handling and sensor replacement requests. Personal Data, Device Data, Sensor Data, support communications and relevant Health Data may be processed to answer questions, provide customer support, resolve technical issues, investigate complaints, assess warranty requests, assess sensor replacement requests, review App information, review screenshots, review sensor session information and communicate with Users about support matters. The legal bases are performance of a contract, compliance with legal obligations and legitimate interests relating to customer support, complaint assessment, fraud prevention, service improvement, dispute handling and protection of legal rights. Where Health Data is processed, Article 6 applies in addition.
8.8 Medical device safety, quality management and regulatory compliance. Personal Data, Device Data, Sensor Data, CGM Data and Health Data may be processed where necessary for product complaint investigations, safety monitoring, product performance monitoring, quality management, post market surveillance, vigilance, serious incident assessment, corrective and preventive actions, field safety corrective actions, recalls, regulatory reporting, audits and compliance with applicable medical device legislation. The legal bases are compliance with legal obligations, legitimate interests relating to product safety, regulatory cooperation, quality management, audit readiness, protection of Users and protection of legal interests, and performance of a contract where processing is connected to customer support, warranty handling, replacement handling or related User services. Where Health Data is processed, Article 6 applies in addition.
8.9 Reports, analytics and automated insights. Personal Data, CGM Data and Health Data may be processed to generate reports, summaries, charts, glucose statistics, Time in Range information, trend analyses, estimated metrics, pattern detection, automated insights and downloadable reports within the App. The legal bases are performance of a contract, legitimate interests relating to maintaining, securing and improving report functionality, and consent where required for optional functionality. Where Health Data is processed, Article 6 applies in addition.
8.10 Marketing communications. Personal Data may be processed to send newsletters, educational information, product updates, surveys, promotional communications and other marketing communications where permitted by applicable law. The legal bases are consent where required, legitimate interests where marketing to existing customers is permitted by applicable law and the User has not objected, and compliance with legal obligations where processing is necessary to maintain consent records, unsubscribe records or proof of marketing compliance. Health Data, CGM Data and Sensor related health information are not used for general advertising, general marketing, behavioural advertising or audience building.
8.11 Cookies, App technologies, analytics and advertising technologies. Personal Data may be processed to operate the Website and App, remember privacy choices, manage consent preferences, secure services, measure Website or App performance, understand usage, improve digital functionality, measure campaign effectiveness and support advertising technologies where permitted by law. The legal bases are consent where required for non essential cookies, pixels, tags, advertising technologies, mobile tracking technologies or similar technologies, legitimate interests for strictly necessary technical processing, Website and App security, service performance, fraud prevention and aggregate service improvement where permitted by law, and compliance with legal obligations.
8.12 Security, fraud prevention and service integrity. Personal Data, technical information, security logs and, where necessary, relevant Device Data, Sensor Data or Health Data may be processed to protect the Website, webshop, App, Accounts, systems, Users and business operations against fraud, misuse, unauthorised access, cyber incidents, account compromise, technical abuse, service disruption and other security risks. The legal bases are legitimate interests relating to cybersecurity, fraud prevention, service integrity, protection of Users and protection of Maralvion’s systems and legal interests, compliance with legal obligations and performance of a contract where security processing is necessary to provide secure access to the Website, App, Account or related services. Where Health Data is processed, Article 6 applies in addition.
8.13 Legal and regulatory compliance. Personal Data, Device Data, Sensor Data, CGM Data and Health Data may be processed where necessary to comply with legal obligations, regulatory requirements, consumer protection requirements, tax obligations, accounting obligations, medical device obligations, audit requirements, competent authority requests, supervisory authority requests, legal claims, dispute handling and enforcement of legal rights. The legal bases are compliance with legal obligations, legitimate interests relating to legal compliance, audit readiness, dispute resolution, risk management and protection of legal rights, and performance of a contract where processing is connected to contractual claims, customer support, warranty handling, returns, refunds or replacement requests. Where Health Data is processed, Article 6 applies in addition.
8.14 Where processing is based on consent or explicit consent, you may withdraw that consent at any time, free of charge, using the contact details, consent settings or App settings made available by Maralvion. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
8.15 Following withdrawal, Maralvion will stop the processing that was based on consent. Maralvion may continue processing ordinary Personal Data only where another lawful basis applies. Maralvion may continue processing Health Data only where a separate special category condition applies, including medical device safety, vigilance, post market surveillance, quality management, regulatory compliance or legal claims, and only to the extent necessary for that purpose.
ARTICLE 9. APP, SENSOR, CGM DATA AND DEVICE DATA PROCESSING
9.1 The App is used to display, manage and analyse information generated by or entered in connection with the GlucoSensor™ Q System.
9.2 The App may process Account information, Device Data, Sensor Data, CGM Data, alerts, reports, user entered events, Share & Follow settings, technical logs, App performance information, diagnostic information and other information necessary for the operation, support and security of the App and the GlucoSensor™ Q System.
9.3 The GlucoSensor™ Q System generates CGM Data during normal operation of the Sensor and App. CGM Data may include glucose readings, glucose trends, trend indicators, alerts, reports, Time in Range information, sensor session information, sensor performance information and related glucose information.
9.4 CGM Data and glucose readings generated during ordinary App use are primarily processed and stored locally on the User’s mobile device. Maralvion does not routinely store raw glucose readings or full CGM history on its own servers as part of ordinary App use.
9.5 CGM Data, Sensor Data, Device Data or Health Data may be processed outside the User’s mobile device where this is necessary for a specific function or purpose described in this Privacy Policy, including Share & Follow functionality, report export, customer support, technical support, complaint investigation, sensor replacement assessment, product safety, quality management, post market surveillance, vigilance, regulatory compliance, security or legal claims.
9.6 Historical CGM Data may be retained locally in the App to enable Users to review glucose patterns, access historical information and generate reports, subject to the technical functionality of the App and the User’s device. Where Maralvion actually receives or stores historical CGM Data for a lawful purpose, the retention rules in Article 20 apply.
9.7 User entered information may include meals, activity, medication, symptoms, lifestyle notes or other information entered by the User. Such information may constitute Health Data where it relates to the User’s health status or glucose context.
9.8 The App may incorporate, access or interact with manufacturer supplied or manufacturer authorised software components, software development kits, including the Manufacturer SDK, interfaces, communication protocols or other technical components required for use with the GlucoSensor™ Q System.
9.9 Maralvion may customise, configure, localise, operate or manage the App interface, Account environment, language versions, support flows, visual presentation, notifications, reports and other non measurement related App components within Maralvion’s own role.
9.10 Maralvion does not modify the Manufacturer’s underlying glucose measurement algorithm, sensor calculation logic, calibration logic, measurement logic or manufacturer controlled medical measurement functionality.
9.11 The App is intended to support glucose awareness, glucose trend review and diabetes management within the certified intended purpose of the GlucoSensor™ Q System. This Privacy Policy explains privacy and data protection matters and does not define, expand or amend the certified intended purpose of GlucoSensor™ Q.
9.12 The App does not replace professional medical advice, diagnosis, treatment, emergency care or instructions from a qualified healthcare professional. This medical and safety information is addressed in the App EULA, the Legal Disclaimer for the GlucoSensor™ Q App, the Instructions for Use (IFU), product labelling, App warnings and safety notices.
9.13 Maralvion does not sell CGM Data, Health Data or Sensor related health information.
ARTICLE 10. REPORTS, ANALYTICS AND AUTOMATED INSIGHTS
10.1 The App may generate reports, summaries, charts, glucose statistics, Time in Range information, trend analyses, estimated metrics, pattern detection, automated insights, downloadable reports and other glucose related summaries based on CGM Data, Sensor Data, Device Data and information entered by the User.
10.2 Reports and automated insights may include glucose trend summaries, high and low glucose patterns, glucose variability information, historical trend analysis, sensor session information, User entered events and related App based visualisations.
10.3 During ordinary App use, reports and related summaries may be generated and stored locally on the User’s mobile device. Maralvion does not routinely store full glucose reports or complete CGM history on its own servers as part of ordinary App use.
10.4 Maralvion may process reports, summaries, screenshots, exported files, CGM Data, Sensor Data, Device Data or related Health Data where the User chooses to export, share, submit or upload such information, or where this is necessary for customer support, technical support, complaint handling, sensor replacement assessment, product safety, quality management, post market surveillance, vigilance, regulatory compliance, security or legal claims.
10.5 Reports and automated insights may be generated using predefined software logic, calculation methods, analytical models, presentation rules, the Manufacturer SDK, manufacturer supplied or manufacturer authorised components or other technical components, depending on the App configuration and applicable System functionality.
10.6 Reports, summaries, statistics and automated insights may be incomplete, delayed, estimated or affected by missing data, Sensor performance, User behaviour, connectivity, mobile device settings, App configuration, input accuracy and other technical or practical factors.
10.7 No decisions producing legal effects concerning you or similarly significant effects are made solely through automated processing within the meaning of the GDPR.
10.8 Automated processing is not used by Maralvion for decisions relating to diagnosis, treatment selection, insurance eligibility, employment, creditworthiness, legal status or other decisions producing legal or similarly significant effects.
10.9 Health Data, CGM Data, Sensor Data and reports are not used for general advertising, general marketing, behavioural advertising or audience building.
10.10 Where future App functionality materially changes the processing of Personal Data or Health Data, Maralvion will update this Privacy Policy and obtain additional consent where required by law.
ARTICLE 11. SHARE & FOLLOW FUNCTIONALITY
11.1 The App may allow Users to share selected glucose related information with authorised individuals through Share & Follow functionality, where this functionality is available.
11.2 Authorised individuals may include family members, caregivers, healthcare professionals or other individuals selected by the User.
11.3 The User determines whether Share & Follow functionality is activated, which individual is invited, which information is shared and when sharing is changed or stopped, subject to the technical options available in the App.
11.4 Depending on the available functionality, sharing permissions may be modified, restricted or withdrawn by the User.
11.5 Authorised recipients may receive access to glucose readings, glucose trends, alerts, reports, Sensor related information and other information selected or enabled for sharing.
11.6 Users are responsible for selecting trusted recipients and for ensuring that the contact details of invited recipients are accurate.
11.7 Maralvion may process Personal Data, CGM Data, Health Data, Sensor Data and recipient contact details where necessary to enable, manage, secure, troubleshoot or support Share & Follow functionality.
11.8 Once information has been shared with an authorised recipient, that recipient may independently use, store, disclose, copy, forward or otherwise process such information outside the control of Maralvion.
11.9 Maralvion is responsible for processing Personal Data within the App and related services, but is not responsible for the independent actions of authorised recipients, except where Maralvion is legally responsible under applicable law.
11.10 Withdrawal or modification of Share & Follow access may not affect information that was already received, stored, copied, disclosed or otherwise used by the recipient before access was withdrawn or modified.
11.11 Share & Follow functionality is intended to support awareness and communication with persons selected by the User. It is not an emergency response service, professional monitoring service, healthcare service or guaranteed caregiver response system.
ARTICLE 12. CUSTOMER SUPPORT, COMPLAINTS AND SAFETY REPORTING
12.1 Personal Data may be processed when Users contact customer support, submit a request, submit a complaint, request a sensor replacement, ask a technical question, provide feedback or otherwise communicate with Maralvion.
12.2 Such processing may include identity information, contact information, Account information, order information, Device Data, Sensor Data, support requests, warranty requests, sensor replacement requests, complaint information, technical support information, App screenshots, App logs, exported reports, sensor session information and relevant Health Data where necessary.
12.3 Personal Data may be processed to answer questions, provide customer support, provide technical support, investigate product complaints, investigate technical issues, assess warranty requests, assess sensor replacement requests, assess App information, assess Sensor information, support quality management, support post market surveillance, support vigilance, support product safety and regulatory compliance, prevent fraud or misuse of support procedures and comply with legal or regulatory obligations.
12.4 Where necessary to investigate a product issue, safety concern, complaint, suspected defect, technical issue, App malfunction, Sensor malfunction, adverse event or suspected serious incident, relevant Device Data, Sensor Data, Health Data, CGM Data and communications provided by the User may be reviewed.
12.5 Maralvion may request relevant information from the User, including order details, Sensor details, lot number, serial number, Sensor activation information, App version, mobile device type, operating system, screenshots, error messages, timing of events, circumstances of use, support history, symptoms where relevant and other information reasonably needed to assess the matter.
12.6 Maralvion may retain support communications and complaint related information where necessary for customer service, complaint handling, warranty assessment, sensor replacement assessment, product safety, post market surveillance, vigilance, quality management, regulatory compliance, security, fraud prevention or legal claims.
12.7 Customer support does not provide medical advice, diagnosis, treatment advice, emergency medical assistance, insulin dosing advice or interpretation of glucose reports for medical decision making.
12.8 Health related questions, symptoms, medication questions, treatment decisions and urgent medical concerns must be directed to a qualified healthcare professional or emergency medical services where appropriate.
12.9 Product support requests, technical support requests, complaint submissions, safety reports, sensor replacement requests and medical device related enquiries should be submitted through the official GlucoSensor™ support channels made available through the Website or App.
ARTICLE 13. MARKETING COMMUNICATIONS
13.1 Personal Data may be processed to provide newsletters, educational information, product updates, surveys, promotional communications and other marketing communications where permitted by applicable law.
13.2 Marketing communications may be delivered through email, Website notifications, App notifications, social media channels or other communication channels, where permitted by applicable law and the relevant platform rules.
13.3 Where required by applicable law, marketing communications are based on valid consent.
13.4 Where permitted by applicable law, certain marketing communications may be based on legitimate interests relating to existing customer relationships, provided that the User has not objected and the communication is permitted under applicable marketing and electronic communications rules.
13.5 Consent may be withdrawn and marketing communications may be unsubscribed from at any time.
13.6 Withdrawal of consent or unsubscribing from marketing communications does not affect processing carried out before withdrawal and does not affect the lawfulness of service communications.
13.7 Service communications, Account communications, order communications, security notifications, product safety communications, recall notices, field safety notices, legal notices and regulatory communications are not marketing communications and may continue to be sent where necessary.
13.8 Health Data, CGM Data, glucose readings, glucose trends, Time in Range, hypo events, hyper events, Sensor related health information and other glucose related information are not used for general advertising, general marketing, behavioural advertising or audience building.
13.9 Maralvion may use non sensitive customer information, such as purchase history, country, language preference, marketing preferences and communication history, to manage ordinary customer communications and marketing where permitted by law. Maralvion does not use individual glucose values or CGM history to target general marketing communications.
ARTICLE 14. COOKIES, APP TECHNOLOGIES, ANALYTICS AND ADVERTISING TECHNOLOGIES
14.1 The Website may use cookies, pixels, tags, local storage technologies, consent management technologies and similar technologies. The App may use local storage, device identifiers, App permissions, push notification tokens, diagnostic tools, crash reporting technologies, analytics technologies and similar technologies where implemented and where permitted by applicable law.
14.2 Such technologies may be used to operate the Website and App, maintain security, remember User preferences, manage consent choices, support Account access, support App functionality, support Sensor connection functionality, deliver notifications where enabled, diagnose errors, measure technical performance, improve User experience, support advertising and marketing activities where permitted, and comply with legal or technical requirements.
14.3 Cookie consent preferences may be managed through Cookiebot or any successor consent management platform used by Maralvion. App permissions and notification settings may also be managed through the App, the mobile operating system or the relevant device settings where available.
14.4 Strictly necessary cookies, local storage, technical identifiers and similar technologies may be used where required to operate the Website or App, maintain security, remember privacy choices, provide requested functionality, maintain Account access, support Sensor connection functionality or comply with legal obligations.
14.5 Where required by law, non essential cookies, pixels, tags, advertising technologies, app analytics identifiers, mobile tracking technologies and similar technologies are activated only after valid consent has been obtained.
14.6 Users may modify cookie preferences at any time through the available cookie preference tools. Users may also manage certain App permissions, notification permissions and device settings through the App or the operating system settings where available.
14.7 Certain Website or App functionality may not operate correctly if specific categories of cookies, technologies, permissions or notifications are disabled. This may affect Account access, App functionality, Sensor connection functionality, alerts, notifications, reports, Share & Follow functionality, diagnostics or support functionality.
14.8 Analytics and advertising technologies may be used to understand Website usage, improve digital functionality, measure campaign effectiveness, manage digital marketing and support business operations where permitted by applicable law. App analytics, diagnostic tools and crash reporting technologies may be used where implemented to understand App performance, improve technical reliability, diagnose errors and support secure operation of the App.
14.9 Depending on the Website, App version, country, implementation and consent choices, technologies used may include Google Analytics, Google Ads, Google Tag Manager, Meta technologies, HubSpot technologies, Cookiebot technologies, Apple and Google app platform services, App Store services, push notification services, crash reporting services, diagnostic services and similar technologies.
14.10 Such technologies may process Website visits, pages viewed, App events, App version, device model, operating system information, browser information, technical identifiers, approximate location information derived from technical data, campaign performance information, advertising interactions, conversion events, cookie identifiers, consent choices, push notification tokens, crash logs, diagnostic logs and service usage patterns.
14.11 Where a provider of analytics, advertising, app platform, diagnostic or similar technologies acts as an independent Controller, joint Controller or Processor, such processing is governed by the applicable contractual arrangements, platform terms, privacy notices and data protection requirements.
14.12 Health Data, CGM Data, glucose readings, glucose trends, Sensor related health information and reports are not used for general advertising cookies, general marketing cookies, behavioural advertising, audience building or general advertising technologies.
14.13 Maralvion applies technical and organisational measures intended to prevent advertising tags, pixels, general marketing cookies or similar advertising technologies from receiving Health Data, CGM Data or Sensor related health information.
14.14 The use of cookies, App technologies, analytics technologies, advertising technologies and related service providers may involve access by providers or sub-processors located outside the European Economic Area. Where this occurs, Article 18 applies.
ARTICLE 15. AUTHORISED SERVICE PROVIDERS AND OTHER RECIPIENTS
15.1 Maralvion may engage carefully selected Authorised Service Providers to support the operation of the Website, webshop, App, Account environment, GlucoSensor™ Q System and related services.
15.2 Authorised Service Providers may include hosting providers, cloud infrastructure providers, payment providers, logistics providers, customer support providers, technical support providers, analytics providers, advertising technology providers where permitted by law, consent management providers, email and communication providers, App platform providers, diagnostic service providers, crash reporting providers, security providers, professional advisers, auditors, insurers, legal advisers, tax advisers, accounting advisers, regulatory advisers and other service providers required for the purposes described in this Privacy Policy.
15.3 Key service providers may include Google Cloud, HubSpot, Mollie, Google Analytics, Google Ads, Google Tag Manager, Meta technologies, Cookiebot, WordPress and WooCommerce related hosting, plugin and technical service providers, Apple App Store, Google Play, Apple and Google app platform services, push notification services, crash reporting services, diagnostic services and similar technologies or successor providers used for the purposes described in this Privacy Policy.
15.4 Authorised Service Providers may process Personal Data only to the extent necessary to perform their services and in accordance with applicable contractual, confidentiality, security and data protection obligations.
15.5 Where Authorised Service Providers process Personal Data on behalf of Maralvion, they act as Processors and Maralvion implements appropriate data processing agreements or equivalent contractual arrangements where required by applicable law.
15.6 Where Authorised Service Providers or other recipients act as independent Controllers for specific processing activities, such as certain payment, logistics, analytics, advertising, platform, legal, accounting, regulatory or professional services, their own privacy notices and legal obligations may also apply.
15.7 Maralvion takes reasonable steps to select service providers that provide appropriate safeguards in view of the nature of the processing, the sensitivity of the Personal Data involved and the services provided.
15.8 Personal Data may be shared where necessary for the purposes described in this Privacy Policy and only to the extent reasonably necessary for the relevant purpose.
15.9 Recipients of Personal Data may include Authorised Service Providers, hosting providers, payment providers, logistics providers, customer support providers, technical support providers, analytics and advertising technology providers where permitted by law, consent management providers, email and communication providers, professional advisers, auditors, insurers, legal, tax, accounting, regulatory and compliance advisers, the Manufacturer where necessary for manufacturer related purposes, the Authorised Representative, competent authorities, notified bodies, supervisory authorities, courts, tribunals and law enforcement authorities where required or permitted by law.
15.10 Personal Data may be shared where necessary to perform a contract with you, process orders, payments, deliveries, returns, refunds or subscriptions, provide customer or technical support, investigate complaints, warranty requests or sensor replacement requests, comply with legal or medical device obligations, establish, exercise or defend legal claims, protect the rights, property or legitimate interests of Maralvion, protect the safety of Users or third parties, prevent fraud or security incidents, or support product safety, vigilance, post market surveillance, recalls or field safety corrective actions.
15.11 Maralvion does not sell Personal Data, CGM Data, Health Data or Sensor related health information.
15.12 Health Data, CGM Data and Sensor related health information are not shared with third parties for general advertising, general marketing, behavioural advertising or audience building.
15.13 Where Personal Data is shared with Processors acting on behalf of Maralvion, appropriate data processing arrangements are implemented where required by applicable law.
15.14 Where a recipient acts as an independent Controller, that recipient is responsible for its own processing of Personal Data in accordance with applicable law.
15.15 Appropriate contractual, organisational and technical safeguards are implemented where required, taking into account the nature of the processing, the sensitivity of the Personal Data involved and the risks to Users.
15.16 Authorised Service Providers do not become sellers, importers, manufacturers, authorised representatives or medical service providers solely because they provide services to or on behalf of Maralvion.
ARTICLE 16. MANUFACTURER RELATED PROCESSING
16.1 The GlucoSensor™ Q System is manufactured by Dreisam, which acts as the legal Manufacturer of the System.
16.2 Maralvion remains the Controller of Personal Data processed through the Website, webshop, App, Account environment, order handling, customer support and related services described in this Privacy Policy, unless expressly stated otherwise.
16.3 Dreisam is responsible within its manufacturer role for System design, medical device conformity, technical documentation, product safety, vigilance, post market surveillance, quality management, the Manufacturer SDK, manufacturer supplied or manufacturer authorised software components and other manufacturer obligations under applicable medical device legislation.
16.4 Maralvion does not routinely share identifiable Health Data, raw glucose readings or full CGM history with the Manufacturer for general commercial, general marketing or general analytics purposes.
16.5 Where necessary for product safety, technical investigation, complaint handling, sensor replacement assessment, vigilance, post market surveillance, quality management, regulatory compliance, serious incident assessment, field safety corrective actions, recalls, legal claims or manufacturer related obligations, relevant information may be disclosed to, made available to or accessed by the Manufacturer, the Authorised Representative, competent authorities, notified bodies or other relevant parties.
16.6 Such information may include Device Data, Sensor Data, technical and diagnostic information, sensor performance information, App performance information, complaint information, adverse event information, serious incident information, quality assurance information, regulatory information, aggregated information, de identified information, anonymised information and pseudonymised information where appropriate.
16.7 Wherever possible and appropriate, information used for manufacturer related purposes is provided or made available in aggregated, de identified, anonymised or pseudonymised form.
16.8 Identifiable Health Data is disclosed to, made available to or accessible by the Manufacturer only where this is necessary, lawful and proportionate for product safety, complaint investigation, sensor replacement assessment, vigilance, post market surveillance, quality management, regulatory compliance, serious incident assessment, legal claims or another legally permitted purpose.
16.9 Where the Manufacturer independently determines the purposes and means of processing Personal Data for its own legal manufacturer obligations, the Manufacturer acts as an independent Controller for that processing.
16.10 Where the Manufacturer processes Personal Data on behalf of Maralvion, appropriate processor arrangements apply where required by applicable law.
16.11 The App may incorporate, access or interact with manufacturer supplied or manufacturer authorised software components, software development kits, including the Manufacturer SDK, interfaces, communication protocols or other technical components required for use with the GlucoSensor™ Q System.
16.12 Maralvion does not modify the Manufacturer’s underlying glucose measurement algorithm, sensor calculation logic, calibration logic, measurement logic or manufacturer controlled medical measurement functionality.
16.13 Appropriate contractual, technical and organisational safeguards are implemented in respect of Personal Data disclosed to, made available to or accessible by the Manufacturer. Such safeguards may include data processing arrangements, confidentiality obligations, purpose limitation, access limitation, role based access controls, logging, monitoring, encryption where appropriate, secure support procedures, data minimisation and restrictions on bulk export of identifiable Health Data unless necessary, lawful and proportionate for the relevant purpose.
ARTICLE 17. MEDICAL DEVICE SAFETY AND REGULATORY COMPLIANCE
17.1 Personal Data, Device Data, Sensor Data, CGM Data and Health Data may be processed where necessary to comply with applicable medical device legislation, product safety obligations, quality management obligations and related regulatory requirements.
17.2 Such processing may include product complaint investigations, technical issue investigations, sensor issue investigations, serious incident assessment, product safety monitoring, product performance monitoring, corrective and preventive actions, field safety corrective actions, recalls or safety notices, quality management activities, post market surveillance activities, vigilance activities, regulatory reporting, audit readiness and safety or performance related product improvement activities.
17.3 Maralvion may process product related information within its own role as seller, EU importer, App operator and customer support provider, and may cooperate with the Manufacturer, the Authorised Representative, competent authorities, notified bodies, Authorised Service Providers and other relevant parties where necessary for medical device safety or regulatory compliance.
17.4 Where possible and appropriate, Maralvion applies pseudonymisation, aggregation, de identification, anonymisation and data minimisation measures before information is used or disclosed for medical device safety, quality management, post market surveillance, vigilance, regulatory compliance or product improvement purposes.
17.5 Identifiable Health Data is processed for medical device safety, post market surveillance, vigilance, quality management, product safety, regulatory compliance or legal claims only where such processing is necessary, lawful and proportionate.
17.6 Processing carried out for medical device safety, post market surveillance, vigilance, quality management, product safety, regulatory compliance or legal claims may continue after Account closure, App deletion, termination of use or withdrawal of consent where required or permitted by applicable law.
17.7 Nothing in this Privacy Policy limits processing that is necessary to comply with applicable medical device legislation, public health obligations, product safety obligations, serious incident assessment or reporting obligations, field safety corrective actions, recall obligations, competent authority requests, notified body requirements or other regulatory requirements.
17.8 Safety notices, field safety notices, recall notices, mandatory product communications, App update notices, cybersecurity notices, regulatory communications and other safety related communications are not marketing communications and may be sent or displayed where necessary for product safety, user safety, cybersecurity, regulatory compliance or legal compliance.
ARTICLE 18. INTERNATIONAL DATA TRANSFERS
18.1 Maralvion aims to keep core App data, CGM Data and Health Data within the European Economic Area where this is under Maralvion’s control and technically available.
18.2 During ordinary App use, CGM Data and glucose readings are primarily processed and stored locally on the User’s mobile device. Maralvion does not routinely store raw glucose readings or full CGM history on its own servers as part of ordinary App use.
18.3 The App and related core services are intended to use infrastructure located within the European Economic Area where configured and controlled by Maralvion.
18.4 Certain Authorised Service Providers, technology providers, platform providers, analytics providers, advertising providers, support providers, professional advisers, sub processors or their personnel may be established outside the European Economic Area or may access Personal Data from outside the European Economic Area.
18.5 International transfers or access from outside the European Economic Area may occur where this is necessary for hosting, technical support, security, analytics, advertising technologies where permitted by law, platform services, professional advice, legal compliance, regulatory compliance, product safety, technical investigation, complaint handling, vigilance, post market surveillance, quality management, dispute resolution, legal claims or manufacturer related support.
18.6 Where Personal Data is transferred to, or accessed from, a country outside the European Economic Area, such transfer takes place only where permitted under applicable data protection law and on the basis of a lawful transfer mechanism.
18.7 Lawful transfer mechanisms may include an adequacy decision adopted by the European Commission, certification under an adequacy framework recognised by the European Commission where applicable, Standard Contractual Clauses approved by the European Commission, Binding Corporate Rules, explicit consent where legally valid and appropriate, a derogation permitted under the GDPR where applicable, or another lawful transfer mechanism recognised under the GDPR.
18.8 Where required, Maralvion assesses whether the country to which Personal Data is transferred, or from which Personal Data is accessed, provides an adequate level of protection and whether additional contractual, technical or organisational safeguards are necessary.
18.9 International transfers of, or access to, identifiable Health Data are limited to what is necessary for the relevant purpose and are subject to enhanced safeguards where appropriate.
18.10 Safeguards may include Standard Contractual Clauses, supplementary measures where required, purpose limitation, access limitation, confidentiality obligations, role based access controls, logging, monitoring, encryption where appropriate, secure support procedures, data minimisation and restrictions on bulk export of identifiable Health Data unless necessary, lawful and proportionate for the relevant purpose.
18.11 International transfer arrangements and safeguards are reviewed periodically to support continued compliance with applicable data protection law.
18.12 Identifiable Health Data, CGM Data and Sensor related health information are not intentionally transferred outside the European Economic Area for general advertising, general marketing, behavioural advertising or audience building.
ARTICLE 19. DATA SECURITY
19.1 Maralvion implements appropriate technical and organisational measures intended to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, unauthorised access and other unlawful processing.
19.2 Such measures may include encryption, access controls, authentication measures, role based access restrictions, logging and monitoring, backup and recovery procedures, vulnerability management, incident response procedures, confidentiality obligations, secure configuration of hosting environments, data minimisation, pseudonymisation or anonymisation where appropriate, and periodic review of relevant security controls.
19.3 Access to Personal Data is restricted to personnel, Authorised Service Providers and other authorised recipients who require such access for legitimate operational, technical, support, legal, quality management, regulatory, security or business purposes.
19.4 Access to Health Data, CGM Data and Sensor related health information is subject to enhanced care because such information may constitute special category Personal Data under the GDPR.
19.5 Maralvion requires personnel and Authorised Service Providers with access to Personal Data to handle such information confidentially and in accordance with applicable contractual, technical, organisational and legal requirements.
19.6 Where Personal Data is processed by Authorised Service Providers on behalf of Maralvion, Maralvion takes reasonable steps to require appropriate confidentiality, security and data protection safeguards.
19.7 Users are responsible for protecting their own mobile device, App access, Account credentials, email account, screen lock, password, biometric access, operating system and security settings.
19.8 Because CGM Data and glucose readings are primarily processed and stored locally on the User’s mobile device during ordinary App use, the security of the User’s mobile device is important. Loss, theft, compromise, unauthorised access or insecure configuration of the User’s mobile device may affect the confidentiality, integrity or availability of locally stored App information.
19.9 No digital system, mobile device, transmission method, storage method or processing environment can be guaranteed to be completely secure.
19.10 Where required by applicable law, Personal Data breaches are assessed and reported to the competent supervisory authority and affected individuals.
19.11 Where a security incident may also affect medical device safety, Sensor performance, App functionality, product performance, vigilance, post market surveillance or regulatory compliance, Maralvion may assess, document, escalate and report the matter in accordance with applicable medical device legislation and internal procedures.
ARTICLE 20. DATA RETENTION
20.1 Maralvion retains Personal Data only for as long as necessary for the purposes for which it was collected, unless a longer retention period is required or permitted by law.
20.2 Retention periods are determined on the basis of the type of Personal Data, the purpose of processing, applicable legal, regulatory, medical device, accounting and tax obligations, applicable limitation periods, security requirements and the need to establish, exercise or defend legal claims.
20.3 During ordinary App use, CGM Data and glucose readings are primarily processed and stored locally on the User’s mobile device. Retention of such locally stored information may depend on the App configuration, the User’s device, App settings, storage capacity, User actions and applicable technical functionality. Maralvion’s server side retention periods apply only to Personal Data that Maralvion or its Authorised Service Providers actually receive or store.
20.4 As a general retention framework, unless a longer or shorter period is required or permitted by applicable law:
(a) Account information is retained for the duration of the Account and generally for up to 24 months after Account closure, unless a longer period is required or permitted for legal, regulatory, security, support, dispute resolution, fraud prevention or medical device related purposes;
(b) order, invoice, transaction and payment related information is retained for the period required under applicable accounting, tax, consumer protection and commercial legislation, which in Poland is generally 5 years from the end of the relevant tax year;
(c) CGM Data, Health Data, Sensor Data and report information actually received or stored by Maralvion for App functionality, support, complaint handling, sensor replacement assessment or other lawful purposes are retained only for as long as necessary for the relevant purpose and are deleted or anonymised within a reasonable period after that purpose ends, unless further retention is required or permitted for medical device safety, vigilance, post market surveillance, quality management, regulatory compliance, security, dispute resolution or legal claims;
(d) customer support records, complaint files, warranty requests, sensor replacement requests, technical support records and related correspondence are generally retained for up to 6 years, or longer where required or permitted for post market surveillance, vigilance, product safety, quality management, regulatory compliance, security, fraud prevention or legal claims;
(e) medical device safety records, complaint records, vigilance records, serious incident records, field safety corrective action records, quality management records and post market surveillance records are retained for the period required under the MDR and related medical device legislation, generally at least 10 years where applicable;
(f) marketing consent records and unsubscribe records are retained for as long as necessary to demonstrate compliance with applicable marketing and data protection laws, generally up to 5 years after the marketing relationship ends or the last relevant interaction occurs;
(g) cookie related and analytics related information is retained in accordance with applicable consent settings, service provider settings and legal requirements, generally not exceeding 26 months unless a shorter period applies or a longer period is legally permitted; and
(h) security logs and fraud prevention records are retained for a limited period necessary to protect systems, investigate incidents and comply with legal obligations, generally between 6 and 24 months, unless a longer period is required or permitted for security, legal, regulatory, dispute resolution or fraud prevention purposes.
20.5 Where a statutory, regulatory, contractual or medical device retention period applies, that period prevails over the general retention periods described in Article 20.4.
20.6 Where Personal Data is no longer required, such information is deleted, anonymised or otherwise securely disposed of, unless further retention is required or permitted by law.
20.7 Information that has been anonymised and can no longer reasonably identify an individual is no longer Personal Data under the GDPR and may be retained and used for statistical, quality management, product improvement, safety monitoring, research, regulatory and business purposes.
20.8 Deletion or anonymisation may not be immediate where Personal Data is contained in backups, security archives or technical logs, provided that such information is protected against routine use and deleted or overwritten in accordance with applicable backup and retention procedures.
20.9 Account closure, App deletion, withdrawal of consent or termination of use does not automatically require immediate deletion of all Personal Data where continued retention is required or permitted for legal obligations, medical device safety, vigilance, post market surveillance, quality management, regulatory compliance, security, fraud prevention, dispute resolution or legal claims.
20.10 Deleting the App from a mobile device may delete or make inaccessible locally stored App data on that device, depending on the mobile operating system, App configuration, backup settings and User actions. App deletion does not automatically delete Personal Data that Maralvion is required or permitted to retain for lawful purposes.
ARTICLE 21. CHILDREN’S PRIVACY
21.1 The Website, webshop, Account registration, App and GlucoSensor™ Q System are intended for individuals who are at least 18 years of age.
21.2 The GlucoSensor™ Q System must not be used by persons under 18 years of age, unless and until such use is expressly permitted under the applicable Instructions for Use (IFU), regulatory documentation and applicable law.
21.3 Maralvion does not knowingly allow minors to independently create Accounts, place orders, activate the App or provide consent for the processing of Personal Data or Health Data.
21.4 If Maralvion becomes aware that Personal Data has been provided by a minor contrary to this Privacy Policy, the App EULA, the Instructions for Use (IFU) or applicable law, Maralvion may delete such information or take other appropriate measures.
ARTICLE 22. YOUR PRIVACY RIGHTS
22.1 Subject to the conditions, limitations and exceptions provided by the GDPR and applicable law, you may have the rights described in this Article.
22.2 Right of access. You may request access to the Personal Data processed about you.
22.3 Right to rectification. You may request correction of inaccurate or incomplete Personal Data.
22.4 Right to erasure. You may request deletion of Personal Data where the conditions for erasure under the GDPR are satisfied.
22.5 Right to restriction of processing. You may request restriction of processing where the conditions under the GDPR are satisfied.
22.6 Right to object. You may object to processing based on legitimate interests where applicable.
22.7 Right to object to direct marketing. You may object to direct marketing at any time.
22.8 Right to data portability. Where applicable, you may request certain Personal Data in a structured, commonly used and machine readable format and transmit such information to another controller.
22.9 Right to withdraw consent. Where processing is based on consent or explicit consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
22.10 Rights relating to automated decision making. You have the rights provided under the GDPR in relation to automated decision making and profiling, subject to applicable limitations and exceptions.
22.11 The App does not make decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you.
22.12 Certain rights may be limited where processing is necessary for legal obligations, medical device safety, post market surveillance, vigilance, quality management, public health reasons, security, fraud prevention, regulatory compliance or the establishment, exercise or defence of legal claims.
22.13 Requests relating to Personal Data may be submitted using the contact details set out in Article 24 of this Privacy Policy.
22.14 Maralvion may request reasonable information to verify your identity before responding to a request.
22.15 Maralvion will respond to valid requests within the time periods required by applicable law. Where permitted by the GDPR, response periods may be extended where requests are complex or numerous.
22.16 No fee is normally charged for responding to valid requests. Where permitted by law, a reasonable fee may be charged or a request may be refused where the request is manifestly unfounded, excessive or repetitive.
22.17 Where a request relates to Health Data, CGM Data, Sensor Data, medical device safety records, complaint records, vigilance records, post market surveillance records, legal claims or regulatory compliance information, Maralvion may need to retain certain information even where deletion or restriction is requested.
22.18 Where Maralvion cannot fully comply with a request, Maralvion will explain the relevant reason where required by applicable law.
22.19 Privacy requests should not be used for urgent medical issues, technical emergencies, product complaints or safety reports. Such matters should be submitted through the official GlucoSensor™ support channels.
ARTICLE 23. LANGUAGE
23.1 This Privacy Policy has been drafted in English.
23.2 Maralvion may make translations or local-language versions of this Privacy Policy available through the Website, App, Account environment, customer support, translation functionality or other communication channels for user convenience, market access, user information, transparency support or compliance support.
23.3 To the extent permitted by mandatory applicable law, the English version is the leading and controlling version for interpretation where there is an ambiguity, discrepancy or inconsistency between the English version and any translated or local-language version of this Privacy Policy.
23.4 Translated and local-language versions should be interpreted consistently with the English version as far as legally possible. If a translated or local-language version appears unclear, incomplete or inconsistent, Maralvion may correct, update or clarify that version.
23.5 Articles 23.2 to 23.4 do not exclude or reduce mandatory data protection rights, transparency requirements, consent requirements, cookie information requirements, consumer protection requirements, medical device language requirements or national rules governing the language in which privacy, consumer, contractual, product or safety information must be supplied, interpreted or made available.
23.6 This Article applies to this Privacy Policy only. It does not determine the controlling language of the IFU, Product labelling, App warnings, safety notices, consent notices, cookie notices, mandatory regulatory information or other mandatory Product, privacy or safety information where applicable law requires specific language versions or specific information to be provided in a particular language.
23.7 If you do not understand this Privacy Policy or any information about the processing of Personal Data or Health Data, you should contact Maralvion before using the relevant Website, webshop, App, Account or GlucoSensor™ Q functionality.
ARTICLE 24. COMPLAINTS, CHANGES AND CONTACT INFORMATION
24.1 If you have concerns regarding the processing of Personal Data, you are encouraged to contact Maralvion first so that the matter can be reviewed and addressed.
24.2 You have the right to lodge a complaint with a competent supervisory authority.
24.3 The competent supervisory authority may include:
President of the Personal Data Protection Office (UODO)
Urząd Ochrony Danych Osobowych
Warsaw
Poland
Website: www.uodo.gov.pl
24.4 Depending on your place of residence, place of work or the location of the alleged infringement, you may also have the right to lodge a complaint with another competent supervisory authority within the European Economic Area.
24.5 Complaints relating to product safety, suspected serious incidents, medical device vigilance, defective products, Sensor malfunction, App malfunction or other medical device related matters should also be submitted through the official GlucoSensor™ support channels so that Maralvion can assess and escalate the matter where required under applicable medical device legislation.
24.6 This Privacy Policy may be amended where this is necessary or appropriate to reflect changes in products, services, technologies, legal obligations, regulatory requirements, medical device obligations, business operations, service providers, international transfer arrangements or data processing activities.
24.7 The version number and effective date shown at the beginning of this Privacy Policy indicate the applicable version.
24.8 Where changes are material, Maralvion will take reasonable steps to inform Users through the Website, the App, email communications or other appropriate communication channels.
24.9 Where required by applicable law, consent or explicit consent will be obtained before implementing changes that require such consent.
24.10 Continued use of the Website, App or GlucoSensor™ Q System after the effective date of an updated Privacy Policy may indicate that the updated Privacy Policy applies to the continued use of the relevant services, subject to applicable law and any consent requirements.
24.11 Changes to this Privacy Policy do not affect the lawfulness of processing carried out before the effective date of the updated Privacy Policy.
24.12 Questions regarding this Privacy Policy, the processing of Personal Data or Health Data, the exercise of privacy rights or privacy related complaints may be directed to:
Maralvion sp. z o.o.
Pl. Władysława Andersa 3
11th Floor
61-894 Poznań
Poland
KRS: 0001235440
Email: support@glucosensor.com
Website: www.glucosensor.com
24.13 Maralvion handles privacy related questions, requests and complaints in accordance with the GDPR, applicable national data protection law and the procedures described in this Privacy Policy. Maralvion may request reasonable information to verify the identity of the requester and to assess the scope, validity and legal basis of the request.
24.14 Maralvion may involve qualified legal, privacy, technical, security or regulatory advisers where appropriate to assess, manage or respond to privacy related requests, data protection matters, security matters, international transfer assessments, medical device related privacy matters, regulatory questions or legal claims. Such involvement is subject to appropriate confidentiality, security and data protection safeguards.
24.15 Where applicable data protection law requires Maralvion to make additional mandatory data protection contact details, notices or supervisory authority communications available, Maralvion will do so through the Website, the App, this Privacy Policy or another appropriate communication channel.
24.16 Product support requests, warranty requests, technical support requests, complaint submissions, safety reports, sensor replacement requests and medical device related enquiries should be submitted through the official GlucoSensor™ support channels made available through the Website or App.
24.17 For urgent medical questions, serious symptoms, suspected hypoglycaemia, suspected hyperglycaemia or medical emergencies, you must contact a qualified healthcare professional or emergency medical services. Maralvion support is not an emergency medical service.